fix(agentcore): addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment (#35842)

### Issue # (if applicable)

Closes #35844

### Reason for this change



The current `addToRolePolicy` for Runtime with imported role destroys and recreates policies on every deployment.

The reason is that `Date.now()` is used for a construct ID of a new Policy in the situation:

https://github.com/aws/aws-cdk/blob/v2.221.0/packages/%40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts#L253

```ts
  public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime {
    // Check if role is a concrete Role instance
    if (this.role instanceof iam.Role) {
      this.role.addToPolicy(statement);
    } else {
      // For imported roles (IRole), we need to attach via a new policy
      const policy = new iam.Policy(this, `CustomPolicy${Date.now()}`, {
        statements: [statement],
      });
```

#### Reproduction

1. Deploy your stack with the following CDK code:

```ts
const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role');

const runtimeArtifact = agentcore.AgentRuntimeArtifact.fromAsset(
  path.join(__dirname, 'testArtifact'),
);

const role = new iam.Role(stack, 'ExecutionRole', {
  assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
});
const imported = iam.Role.fromRoleArn(stack, 'ImportedRole', role.roleArn);

const runtime = new agentcore.Runtime(stack, 'TestRuntime', {
  runtimeName: 'integ_test_runtime',
  agentRuntimeArtifact: runtimeArtifact,
  executionRole: imported,
});

runtime.addToRolePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:Query'],
  resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/my-table'],
}));
```

2. Deploy or diff the stack with the same CDK code again.

3. The change will occur:

```
      [-] AWS::IAM::Policy TestRuntimeCustomPolicy1761380931769044921D2 destroy
      [+] AWS::IAM::Policy TestRuntimeCustomPolicy1761381522330E0DC0D40
```

### Description of changes

Use `addToPrincipalPolicy` directly instead.

### Describe any new or updated permissions being added




### Description of how you validated changes



Both unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: go-to-k

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts

@@ -245,16 +245,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti
    * @returns The runtime instance for chaining
    */
   public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime {
-    // Check if role is a concrete Role instance
-    if (this.role instanceof iam.Role) {
-      this.role.addToPolicy(statement);
-    } else {
-      // For imported roles (IRole), we need to attach via a new policy
-      const policy = new iam.Policy(this, `CustomPolicy${Date.now()}`, {
-        statements: [statement],
-      });
-      this.role.attachInlinePolicy(policy);
-    }
+    this.role.addToPrincipalPolicy(statement);
     return this;
   }
 

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/BedrockAgentCoreRuntimeWithImportedRoleDefaultTestDeployAssert640CC592.assets.json

@@ -0,0 +1,163 @@
+{
+ "Resources": {
+  "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "s3:GetObject",
+       "Effect": "Allow",
+       "Resource": "arn:aws:s3:::my-bucket/my-object"
+      },
+      {
+       "Action": "dynamodb:Query",
+       "Effect": "Allow",
+       "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
+      },
+      {
+       "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":ecr:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":repository/",
+          {
+           "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"
+          }
+         ]
+        ]
+       }
+      },
+      {
+       "Action": "ecr:GetAuthorizationToken",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "PolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D7",
+    "Roles": [
+     {
+      "Fn::Select": [
+       1,
+       {
+        "Fn::Split": [
+         "/",
+         {
+          "Fn::Select": [
+           5,
+           {
+            "Fn::Split": [
+             ":",
+             {
+              "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"
+             }
+            ]
+           }
+          ]
+         }
+        ]
+       }
+      ]
+     }
+    ]
+   }
+  },
+  "TestRuntime65042BB5": {
+   "Type": "AWS::BedrockAgentCore::Runtime",
+   "Properties": {
+    "AgentRuntimeArtifact": {
+     "ContainerConfiguration": {
+      "ContainerUri": {
+       "Fn::Join": [
+        "",
+        [
+         {
+          "Ref": "AWS::AccountId"
+         },
+         ".dkr.ecr.",
+         {
+          "Ref": "AWS::Region"
+         },
+         ".",
+         {
+          "Ref": "AWS::URLSuffix"
+         },
+         "/",
+         {
+          "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"
+         },
+         ":f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240"
+        ]
+       ]
+      }
+     }
+    },
+    "AgentRuntimeName": "integ_test_runtime",
+    "NetworkConfiguration": {
+     "NetworkMode": "PUBLIC"
+    },
+    "ProtocolConfiguration": "HTTP",
+    "RoleArn": {
+     "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"
+    }
+   },
+   "DependsOn": [
+    "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC"
+   ]
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}